Windows SSL/TLS Flaw Is No Heartbleed

NEWS ANALYSIS A week after media hype over a Windows SSL/TLS patch, it hasn't been exploited. Yet other Microsoft Patch Tuesday updates were already exploited.

security patches

Among the 33 flaws for which Microsoft delivered fixes in its Patch Tuesday update last week was CVE-2014-6321, a remote code execution vulnerability in the Microsoft Secure Channel (Schannel) security technology, which provides Secure Sockets Layer/Transport Layer Security (SSL/TLS) cryptographic capabilities.

Although many media reports last week alleged that the Schannel flaw was a Windows equivalent of the nefarious Heartbleed vulnerability, that is not the case. The real vulnerability that users should be worried about is something else entirely.

Heartbleed—a vulnerability in the open-source OpenSSL cryptographic library widely used in servers, end-user systems and mobile devices—was exploited rapidly. In one high-profile case Heartbleed was used to attack the Canada Revenue Agency, delaying the tax filing date for tens of millions of Canadians.

However, a week after Microsoft patched the Schannel vulnerability, it has had no such impact. In fact, the first proof-of-concept (POC) code for the CVE-2014-6321 vulnerability has only now just emerged.

Josh Feinblum, vice president of information security at Rapid7, told eWEEK that, to date, his firm has not seen any payloads enabling remote code execution as a result of CVE-2014-6321. Rapid7 is also the primary commercial sponsor behind the open-source Metasploit penetration-testing framework, which is often the first place exploit code lands in a form that researchers can use to test vulnerabilities.

"The Metasploit content team and community have been researching the issue, but no payloads are imminent," Feinblum said.

Robert Freeman, IBM X-Force research manager, told eWEEK that his organization has not observed in-the-wild exploitation of the CVE-2014-6321 Schannel issue either.

"I have seen some anecdotal evidence that Immunity is working on a module for their CANVAS product, but I haven't see anything public on this," Freeman said. "I suspect that exploiting this bug is not trivial, and it might be prone to cause crashes instead of remote-code execution."

Security firm BeyondTrust has published a blog post with one of the most extensive descriptions of the CVE-2014-6321 issue. The goal of the blog post is to illustrate publicly that there are some serious Schannel-related vulnerabilities that were fixed, Marc Maiffret, CTO of BeyondTrust, explained to eWEEK. "This is helpful both for protection vendors to verify their mitigations and to illustrate the importance for IT security teams to make this a priority patch to deploy if they have not already," Maiffret said. "Creating a full, working, reliable exploit for any of these Schannel vulnerabilities is still difficult, but it is more a matter of time in some cases."

Microsoft itself has not revealed much detail on the Schannel flaws.

The BeyondTrust research team employed several reverse-engineering techniques to discover code changes between the patched and unpatched code, Maiffret said. "This helped narrow down specifically how to eventually reproduce and trigger the flaw," he said.

Though BeyondTrust has been able to dig into the flaw, it hasn't seen any public exploit for the vulnerability. "We have seen a lot of debate around this specific Microsoft security bulletin and simply wanted to add what we know into the mix to help people better prioritize this vulnerability," he said.

What Is Being Exploited?

While the CVE-2014-6321 vulnerability is not being actively exploited, other vulnerabilities fixed by the Microsoft November Patch Tuesday update are another story.

"We have seen payloads for the Internet Explorer vulnerability patched by MS14-064," Rapid7's Feinblum said.

The MS14-064 update is a cumulative update for Microsoft's Internet Explorer browser that fixes 17 different CVEs.

Another set of high-priority fixes in the Microsoft November Patch Tuesday update was for CVE-2014-6352 and CVE-2014-6332. The CVE-2014-6352 issue is related to the Sandworm flaw, identified as CVE-2014-4114, which is a zero-day flaw in Microsoft's object linking and embedding (OLE) technology.

"CVE-2014-4114 is related to CVE-2014-6352 in that 6352 is another path to the same problem," IBM's Freeman said. "My disclosure, CVE-2014-6332, also affects OLE but in a novel way."

Through a data-manipulation attack, many exploitation scenarios are possible with CVE-2014-6332, including running unsafe COM objects on all versions of Windows, from Windows 95 onwards, Freeman explained. That means the CVE-2014-6332 is potentially a flaw that took 19 years to be discovered and fixed. "The short answer is, I don't know why it took so long for this bug to be uncovered," Freeman said. "It's possible that other researchers may have run into it and likely discarded it because it's extremely complex to exploit."

That complexity is also translating into a lack of exploitation as well. Freeman noted that for the past six months, IBM has been monitoring for exploits of CVE-2014-6332 in the wild and has not detected any activity as of yet.

"However, a Metasploit module was released for CVE2104-6332 on Thursday [Nov. 13]," Freeman said.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.